Folks who work in the Internet security industry know that the principles underlying various up-and-coming identity technologies such as Microsoft's CardSpace have arisen from something called the "7 Laws of Identity". If you're not familiar with the seven laws, you can find them at Kim Cameron's blog at this link: http://www.identityblog.com.
An excellent and well-written reflection on the first of these laws can be found at Bob Blakley's blog. Bob was the former chief scientist for security and privacy at IBM. He currently works as an analyst for the Burton Group. His thoughtful remonstration, titled "The Meta-Identity System" is partway down the page at this link: http://notabob.blogspot.com.
As Blakley points out, Cameron's seven laws aren't really laws; they're better described as seven requirements for identity technologies to work securely and be accepted by consumers. Laws, by contrast, represent the way things happen because they can't happen any other way. Viewed in light of Blakley's deconstruction, Cameron's identity laws might better be described as an "identity etiquette", or "identiquette", than as a framework of immutable identity truths.
So, to help remedy the absence of a compilation of such truths, Deep Think Diving would like to nominate the following Ten Intractables of Identity Management as a starter kit. Some of the principles found in the kit might well be considered laws (or better yet 'flaws') but won't be rolled up as such in deference to Cameron's prior claim to the namespace.
So, offered here for your perusal ...
The Ten Intractables of Identity Management
Intractable #1: The Law of Low Assurance. “High assurance” Internet technology, placed in the hands of the average consumer, performs with low assurance. Think seat belts. Seat belts are an easily grasped and easily mastered safety technology, yet nearly one-third of drivers bypass the technology even though the risk factor is no less than death itself. Imagine how great the percentage of consumers must be who “opt out” of learning, understanding and properly employing digital security methods. It’s important that we, as an industry, grasp the back pressure of this recalcitrance, as it represents the limiting factor to the success of our cyber security efforts.
Intractable #2: The Law of Innocence. Like freshly-hatched turtles hurrying for the safety of waves, a significant portion of web users at any given time are newly-minted (soft-shell) webphibians destined by mere innocence to end up lodged in the beaks of cyber-gulls. Any comprehensive solution to Internet identity security should give special focus to helping these maiden voyagers succeed in their initial dash across the sand.
Intractable #3: The Law of Over-Confidence. The more a technology increases user confidence in the source of an email or website, the more convincing (and therefore destructive) the inevitable impersonation of that email or website will be. I sometimes think we have it backwards; we should make all emails and websites look patently fake and threatening so that consumer vigilance never flags. Websites could replace their Verisign and Trust-e logos with logos that say, simply, "Thug-4-life". Sure, e-commerce would slow to a crawl, but no one would be caught napping.
Intractable #4: The Law of Inattention. The more a technology requires a consumer to remain vigilant to security cues, the greater the security gap that will result from an indifferent consumer’s inattention to those cues. Most cyber criminals rely not on breaking cryptographic algorithms, of course, but on the indifference, inattention and confusion (and, of course, greed) of the consumer. Any technology that can be undermined by these consumer traits will be undermined. (Interesting how the Law of Over-Confidence and the Law of Inattention seem somewhat opposite, yet have the same consequence.)
Intractable #5: The Law of Latency. Phishers, Pharmers and those Nairobi bank managers fretting over unclaimed millions all benefit from an ability to bring their (sin)novations to market more rapidly than the industry’s defensive forces can be mustered. A lone “UniPharmer” therefore will always be more nimble, prolific and effective than any engineering team or standards committee could hope to be. The solution here is to help cyber-scammers organize into fraternal organizations so that their efforts can be bogged down and confused by development schedules and design reviews.
Intractable #6: The Law of Inverse ROIs. E-commerce establishments that adopt identity security solutions are required to make large investments up front while only guessing as to the actual return, which, in fact, may prove to be quite small. Cyber-scammers, on the other hand, face only a small initial investment, the return on which can be expected to be quite large. Phishing and pharming, then, employ better business models than legitimate businesses and will therefore always command an inordinate market share.
Intractable #7: The Law of Misguided Validation. I wonder sometimes why we focus our efforts so heavily on improving methods for validating bona fide emails and websites. Someone should point out (okay, thank you, I will) that validating the good stuff adds no direct value to Internet security. Why? Because bona fide emails and websites pose no threat to the institutions and consumers that use them. Identity and authentication technologies should instead be measured by how they improve a consumer’s ability to directly invalidate fraudulent emails and fraudulent websites. This rule suggests that a technology might best be targeted toward automating, rather than teaching, an invalidation protocol. Currently, the leading technology for invalidating fraudulent emails and websites is the consumer himself and the results of that technology have been less than salutary.
Intractable #8: The Law of Unreasonability. Don't believe for a second that what is unacceptable in the real world can remain acceptable in the virtual world for very long. Imagine how you would feel if some sizeable portion of your snail mail were in fact an attempt to ensnare you in an illegal scam. Imagine, too, that your only defense is to hire your own private security force to help the postman sort through your mail and escort it to your mailbox. Now imagine that, even with your private security force, a goodly portion of the illegal post still gets through. In cyberspace, this is how we do things -- the private security forces being Symantec, Verisign, Messagelabs and similar providers. Eventually, this militia-packed cyber-Somalia will need to be pacified into a strong, centralized public service.
Intractable #9: The Law of the Missing Goodwill Agency. Notice that the concept of “goodwill agency” that is realized in the real world seems absent from the virtual world. In the real world when we need help or protection we enjoy the support of many goodwill providers. If we need a stray cat rescued, we call the Humane Society; if we have a flat, we call AAA; if we need food and clothing, we visit the Salvation Army. E-consumers need goodwill agencies populating the Internet that will respond to them and help protect them individually from identity fraud. If a consumer receives an email that she questions, there should be a well-known URL where she immediately can go to have that email validated or invalidated. This site could be a pro bono validation service organized in the public interest (perhaps funded by financial institutions?). So far, such goodwill agencies have failed to sprout up on the Internet. It's worth noting that in the real world, too, humanitarian forces fear to tread where private security forces thrive.
Intractable #10: The Law of Non-Deterrence. Net neutrality is a passionate rallying cry, but on its dark underside it's also a cyber-scammer’s best friend. Can you think of a time when any kind of criminality was stopped dead in its tracks by the long arm of the forces of neutrality? What the Internet needs is a true movement toward software in the public interest. No, not the ethically-insipid movement toward open APIs, but an ethically-imbued movement toward software development on behalf of the public weal. I'm talking geeks saving damsels from oncoming trains; geeks rushing into flaming buildings to rescue kittens; geeks getting the woman at the end of the show (or the man, or free MSDN Premium, or whatever). Yes, I'm talking the stuff of prime-time network television here. Can't you see it: "Law and Cyber Order".
Got popcorn?